5 Secure Login Server
5.2 Initial Configuration Wizard
5.2.2 Initial Configuration
This section describes the modes that are possible for the initial configuration wizard.
This section describes the initial configuration of the Secure Login Server. The initialization wizard sets the values for the PKI certificates and for the user certificates. The following configuration options are available:
● Automatic
The initialization wizard generates the configuration of the PKI certificates and user certificates automatically.
You can change the configuration in each configuration step.
● Manual
In this option, you can configure the PKI certificates and user certificates manually. You can also import a CA certificate in a key-pair file and use the parameters and values from this file.
If you want to use a hardware security module (HSM) as a user CA, see the related link.
● Migrate
You see this option if you have an older version of Secure Login Server. In the Migrate mode, the initial configuration wizard allows you to import the PKI as a file from the previous version. Thus you can migrate the configuration from the previous version of the Secure Login Server.
● Skip All
If you choose this option, the initialization wizard skips the PKI creation and generates the user certificate configuration with the default values. Choose this option if you do not want to enter individual values.
Related Information
Using External User Certification Authorities [page 219]
You can optionally use, for example, hardware security module (HSM) boards or other PKCS#11-enabled devices as external user Certification Authorities (CAs).
5.2.2.1 Initial Configuration (Automatic)
Before you can work with the Secure Login Server, a wizard leads you through the initial configuration of the Secure Login Server.
Context
This section describes the initial configuration of the Secure Login Server. The initialization wizard accesses the Secure Login Server global directory, which contains all the PKI information you need. It generates the PKI certificates and user certificates with the respective values automatically. Nevertheless, you can change individual parameter values.
For more information about the parameters, see the related link below.
Procedure
1. Start the initial configuration using the browser URL:
http://localhost:<port>/slac or https://<host_name>:<SSL_port>/slac
Example
https://localhost:50001/slac
Note
If you want to start the initial configuration wizard from a remote computer, you have to use https.
2. To change a parameter, choose Edit.
The details section displays the parameters. Mandatory parameters are marked by an asterisk (*).
3. Enter the related value or choose from a list.
4. Save your changes.
If you want to undo your changes, choose Reset. This command restores the original configuration.
5. To get to User Certificate Configuration, choose Next.
6. Enter the related parameters.
7. Choose Finish to complete the initial configuration of the PKI certificates and user certificates.
Related Information
Parameters for Initial Configuration (PKI Certificates) [page 265]
This topic contains the parameters for the configuration of the PKI certificates.
5.2.2.2 Initial Configuration (Manual)
Before you can work with the Secure Login Server, a wizard leads you through manual steps for the initial configuration of the Secure Login Server.
Context
The manual configuration mode allows you to change values for the root CA, user CA, SAP CA, SSL CA, and the user certificate configuration. You can also generate an entry by importing a file.
Procedure
1. If you want to enter the values for the PKI and user certificates yourself, choose the Manual radio button.
2. (Optional) If you do not want to generate a root CA, mark the Skip Root CA checkbox. In each wizard step (except in the user CA step), you can skip the generation of each CA by marking the respective Skip field.
3. (Optional) Import an entry in a key-pair file. For more information, see the related link.
4. Enter the respective values. For more information about the parameters, see the related link below.
5. To get to User Certificate Configuration, choose Next.
6. Enter the related parameter. For more information, see the related link.
7. To complete the initial configuration, choose Finish.
Related Information
Parameters for Initial Configuration (PKI Certificates) [page 265]
This topic contains the parameters for the configuration of the PKI certificates.
Importing Certificate Entries from a File [page 165]
You can import entries for the root CA and/or the user CA during certificate management.
Parameters for User Certificate Configuration [page 292]
This table contains the parameters for user certificate configuration for the client authentication profile, which you can configure in the Secure Login Administration Console.
5.2.2.2.1 Transferring PKI Information to Secure Login Server
For migration purposes, you must make sure that the PKI information of Secure Login Server 1.0 is available for your migrated Secure Login Server 2.0.
Context
If you want to use the automatic initial configuration of Secure Login Server during the migration of Secure Login Server 2.0 from 1.0, you must make sure that the PKI information of Secure Login Server 1.0 is available for use.
The initialization wizard of the initial configuration accesses the global directory, which contains all the PKI information you need. It generates the PKI certificates and user certificates with the respective values automatically. This is the reason why you must transfer the PKI information. Proceed as follows:
You must copy the entire directory and its content from the AS Java environment of your Secure Login Server 1.0 and insert it into the environment where your AS Java with Secure Login Server 2.0 is located.
Procedure
1. In the Application Server Java, go to the following directory:
/usr/sap/<SID>/SYS/global/SecureLoginServer
2. Copy the whole directory to a directory with the corresponding name in the AS Java where your Secure Login Server 2.0 is located.
The initial configuration wizard is now able to access your PKI information automatically.
3. Start the initial configuration. For more information, see the related link.
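A scripted version of steps 1 and 2, given here as an added example that is not part of the SAP documentation: it copies the directory, compares SHA-256 manifests of source and copy, and lists files in the copy that other users can read, because the directory holds the PKI. The function names and the use of `sha256sum` are assumptions.

```shell
#!/bin/sh
# Added example (not SAP code): copy the Secure Login Server global directory
# for the 1.0 -> 2.0 migration and verify the copy before starting the wizard.
# Assumes sha256sum is installed; the function names are hypothetical.
# Usage: copy_pki_dir /usr/sap/<SID>/SYS/global/SecureLoginServer <target dir>

# Print "<sha256>  <relative path>" for every regular file under $1, sorted by path.
pki_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 )
}

# List regular files under $1 that users outside owner and group can read.
pki_world_readable() {
    find "$1" -type f -perm -004
}

# Copy directory $1 to $2 and confirm that every file arrived unchanged.
# Returns 0 on success, 2 missing source, 3 target exists, 4 copy error,
# 5 source has no files to verify, 6 content mismatch.
copy_pki_dir() {
    src=$1
    dst=$2
    if [ ! -d "$src" ]; then echo "source directory missing: $src" >&2; return 2; fi
    # Refuse to merge into an existing directory: stale files would survive.
    if [ -e "$dst" ]; then echo "target already exists: $dst" >&2; return 3; fi
    mkdir -p "$(dirname "$dst")" || return 4
    # -R copies the whole tree, -p keeps permission bits and timestamps.
    cp -Rp "$src" "$dst" || return 4
    want=$(pki_manifest "$src")
    if [ -z "$want" ]; then echo "no files found under $src" >&2; return 5; fi
    if [ "$want" != "$(pki_manifest "$dst")" ]; then
        echo "copy differs from source: $src -> $dst" >&2
        return 6
    fi
    exposed=$(pki_world_readable "$dst")
    if [ -n "$exposed" ]; then
        echo "warning: readable by other users:" >&2
        echo "$exposed" >&2
    fi
    return 0
}
```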
Related Information
Initial Configuration Wizard [page 160]
After the deployment of Secure Login Server, an initial configuration is required.
5.2.2.3 Importing Certificate Entries from a File
You can import entries for the root CA and/or the user CA during certificate management.
Context
You want to import entries and parameters for the root CA or the user CA from a key-pair file using the initialization wizard for the generation of PKI and user certificates.
Note
If you want to migrate from Secure Login Server 1.0 to the current version, we recommend that you migrate the PKI.
Procedure
1. Choose Import.
The dialog box Import Certificate appears. All fields are marked as mandatory.
2. Select the file type in the Entry Type field. The options PSE Key Pair and PKCS#12 Key Pair are available. You can only import files with the file extensions pse or p12.
Note
If you are migrating the Secure Login Server, import the PSE file with the respective PKI. Since this file is encrypted, you are prompted to enter a password.
3. Enter the path of the entry file in the next field or browse to the file with Browse...
4. (If applicable) If the entry is encrypted and protected by a password, enter the password to decrypt the file.
5. To complete the import, choose Save.
5.3 Administration
This topic contains administration tasks such as starting Secure Login Administration Console, password management, and stopping and starting Secure Login Server.